On Fri, Apr 17, 2015 at 1:43 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 04/17/2015 01:31 PM, Steve Huston wrote:
> You also need allow user_t condor_startd_t:process getattr; to see the
> process labels.
>
> I doubt you need lock or ioctl permissions; they tend to get lumped in
> together with read.

Made these changes and it works perfectly. Thank you, kind sir.

> You could alternatively write your rules using macros from the
> refpolicy, e.g.:
> allow user_t condor_startd_t:file read_file_perms;
> allow user_t condor_startd_t:dir list_dir_perms;
> allow user_t condor_startd_t:lnk_file read_lnk_file_perms;
>
> or even using a macro that captures all of these rules in one call, e.g.
> ps_process_pattern(user_t, condor_startd_t)

I'll leave these in my Evernote folder for "some day I should learn this better" :D

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |  ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ  08544  | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
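As an added illustration (not code from either poster), the rules Stephen describes packaged as a loadable local policy module, so that user_t can list and read the /proc entries of condor_startd_t processes and query their labels and nothing more. The module name condor_ps and the build/verify commands in the comments are assumptions; the types and rules are the ones from the thread.

```selinux
# Hypothetical local module (assumed name: condor_ps). Types user_t and
# condor_startd_t are the ones discussed in the thread.
#
# Build against the installed refpolicy headers and load it:
#   make -f /usr/share/selinux/devel/Makefile condor_ps.pp
#   sudo semodule -i condor_ps.pp
# Confirm the process getattr rule actually landed in the loaded policy:
#   sesearch -A -s user_t -t condor_startd_t -c process -p getattr

policy_module(condor_ps, 1.0)

gen_require(`
	type user_t;
	type condor_startd_t;
')

# Read-only access to /proc/<pid> of condor_startd_t processes, written
# with refpolicy permission-set macros rather than hand-listed
# read/getattr/open (lock and ioctl are not needed, per the thread).
allow user_t condor_startd_t:dir list_dir_perms;
allow user_t condor_startd_t:file read_file_perms;
allow user_t condor_startd_t:lnk_file read_lnk_file_perms;

# Required to see the process label itself (e.g. ps -eZ); without it the
# label column shows up as unknown/empty for these processes.
allow user_t condor_startd_t:process getattr;

# The thread's one-call shorthand for the same access would be:
#   ps_process_pattern(user_t, condor_startd_t)
# Use one form or the other, not both, to keep the module readable.
```

The grant is scoped to the single condor_startd_t domain rather than a broad attribute, so user_t gains visibility into that daemon only.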